Top Down Security (or How To Learn To Love Information Security And Get It Into The Boardroom)

Originally published on the Darlingtons Solicitors Blog 23.11.12 You say the word security to people and get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe. Others go a bit Mission Impossible and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. And yet more others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket. This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, its a bit more useful. Yeah, IT does Security According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true and are also aware that other disciplines, FM for instance have also had a bit of a battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour, has never been more important.

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

Milky Way and our Solar System - image Ecology.com

As we are talking about Information Security (IS) lets put it in perspective. IT security is the vital technical security of IT such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to security of information is a much larger area. (If the organisations use of Information were the Milky Way for instance, IT might be our solar system see picture). The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of) the rest of the organisation may be vast and so the potential for compromised information is exponentially increased. Especially if everyone thinks that IT do security. IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces not simply the systems in IT important as they may be. An organisations IS needs to be aligned to its Risk Appetite but if accountability for it is placed in IT then realising this will be challenging. Business solutions are not always technical or IT based. At the end of the day the users are people and people make mistakes or behave in questionable ways. Around 80% of data breach is generally accepted to be human error or malice. Technology cant mitigate all of that risk; you need to consider policy, procedure and education of these concepts through your organisation. Hopefully you can see now why we are moving out of the realms of IT and into the realms of business centric solutions that cut across silos, not reinforce them. Place your bets! Place your bets! Risk is a part of business, without risk there is no innovation and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it
Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

becomes too great a risk. Not from an instinctual level but from a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisations risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite. How then can an organisation securely implement something like Bring Your Own Device (BYOD) which sounds on the surface like an IT project which wont be aligned to Risk Appetite? So in other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives, access to sensitive information, has not been assessed in terms of the businesss overall appetite. So rogue apps (which we hear about every week) for instance could be scalping data from the device on a regular basis and the user would be unaware. Previously, it was the users data alone that was compromised, with BYOD the scope of data available increases vastly as an organisations information assets open up to that user. InfoSecurity share the love The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk or who is accountable for the Information risk is where to start. Well according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisations risk profile. Placing responsibility within IT can cause ineffective assessment and alignment with not only Risk but with Business priorities. If 70% of the respondents are stating that their organisations IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C level direction and input, it needs to have the support of the board, be implemented and understood top-down and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation. It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments unaligned to Risk, unconnected to the board and occupying a similar space as the sun in the Milky Way or an organisations Information usage, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs, will reduce. What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

undirected spend. The upshot could be through a lack of board level understanding, that future spend then has a line run through it instead of under it.

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.

www.advent-im.co.uk Head Office: 0121 559 6699 London Office: 0207 100 1124 Email: bestpractice@advent-im.co.uk Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.
Our blogs www.adventim.wordpress.com

www.adventimforarchitects.wordpress.com www.adventimforuklegal.wordpress.com www.adventimforgambling.wordpress.com www.adventimschoolsecurity.wordpress.com

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM